Urbackup line end only lf and not crlf how its needed.
Mailserver doesn’t accept Mails.
Syslog: postfix/submission/smtpd[482]: bare LF received after DATA (664 bytes)
For more Information SMTP Smuggling
BUMP + more info:
I also run into this issue, updating a Debian 10 (buster) server’s Exim (from version [4.92-8] deb10u8 to deb10u9) caused the received UrBackup report’s body “squeezed”, the LF-s in the body gets replaced to spaces.
I’ve checked the difference between the 8 and 9 subrevision, and it seems that due to “CVE-2023-51766”, they introduced a patch where they replace LF-s in the body with spaces if the header’s first line is terminated not only by an LF, but a CRLF - so I assume that UrBackup uses CRLF to terminate the header’s 1st line, and plain LF’s in the message body, which should be CRLF everywhere then.
See Exim’s relevant diff below, but as I see, this is being fixed all over the other MTA-s, so this issue will be more common.
(PS: It would be great if the similar routine would be used at the “mail test”, so we could test more easier. The test also don’t accept “;” - or any otherwise delimited multiple addressee)
CVE-2023-51766.patch (diff [the relevant description part])
...
* If the first header line received in a message ends with CRLF, a subsequent
bare LF in a header line is treated in the same way as a bare CR in a
- header line.
+ header line and a bare LF in a body line is replaced with a space.
+
+ * If the first header line received in a message does not end with CRLF, a
+ subsequent LF not preceded by CR is treated as a line ending.
...
This issue will be fixed in the next release by using CR LF for mail line endings everywhere. The code is already there.
1 Like